STATECHARTS VIA PROCESS ALGEBRA


GERALD LÜTTGEN, MICHAEL VON DER BEECK, AND RANCE CLEAVELAND

Abstract. Statecharts is a visual language for specifying the behavior of reactive systems. The language extends finite-state machines with concepts of hierarchy, concurrency, and priority. Despite its popularity as a design notation for embedded systems, precisely defining its semantics has proved extremely challenging. In this paper, a simple process algebra, called Statecharts Process Language (SPL), is presented, which is expressive enough for encoding Statecharts in a structure-preserving and semantics-preserving manner. It is established that the behavioral relation bisimulation, when applied to SPL, preserves Statecharts semantics.

Key words. bisimulation, compositionality, operational semantics, process algebra, Statecharts

Subject classification. Computer Science

1. Introduction. Statecharts is a visual language for specifying the behavior of reactive systems [7]. The language extends the traditional notation of finite-state machines with concepts of (i) hierarchy, so that one may speak of a state as having sub-states, (ii) concurrency, thereby allowing the definition of systems having simultaneously active subsystems, and (iii) priority, so that one may express that certain system activities have precedence over others. Statecharts has become popular among engineers as a design notation for embedded systems, and commercially available tools provide support for it [10]. Nevertheless, precisely defining the semantics of the language has proved extremely challenging, with a variety of proposals [8, 9, 18, 19, 21, 28, 29] being offered for several dialects [34] of the language. While the research results have yielded insight into different aspects of the notation, no definitive account has emerged. This has an obviously undesirable practical ramification: tool builders for Statecharts must resort to ad hoc decisions in their implementations of semantically-based tools, such as model checkers [16, 23], and this means that designs developed by engineers have a meaning that may vary from implementation to implementation.

The semantic subtlety of Statecharts arises from the language's capability for defining transitions whose enablement disables other transitions. A Statechart may react to an event by engaging in an enabled transition, thereby performing a so-called micro step, which may generate new events that may in turn trigger new transitions while disabling others. When this chain reaction comes to a halt, one execution step, a so-called macro step, is complete. Technically, the difficulty for defining an operational semantics capturing the "macro-step" behavior of Statecharts arises from the fact that such a semantics should exhibit the following desirable properties: (i) the synchrony hypothesis [2], which guarantees that a reaction to an external event terminates before the next event enters the system, (ii) compositionality, which ensures that

2. Statecharts. Statecharts is a specification language for reactive systems [27], i.e., concurrent systems which are characterized by their ongoing interaction with their environment. Statecharts subsume finite state machines whose transitions are labeled by pairs of events, where the first component is referred to as trigger and may include negated events, and the second component is referred to as action. Intuitively, if the environment offers the events in the trigger, but not the negated ones, then the transition is triggered and can be executed; it fires, thereby producing the events in the label's action. Concurrency is achieved by allowing complex Statecharts to be composed from simpler ones running in parallel, which may communicate via broadcasting events. Elementary, or basic, states in Statecharts may also be hierarchically refined by injecting other Statecharts. Concurrency and hierarchy are especially important concepts, since they allow for bottom-up and top-down specifications of systems.


Fig. 2.1. Example Statechart

As an example, consider the Statechart depicted in Figure 2.1. It consists of a so-called and-state, labeled by n9, which denotes the parallel composition of the two Statecharts labeled by n3 and n8. Actually, n3 and n8 are the names of or-states, describing sequential state machines. The first consists of two states n1 and n2 that are connected via transition t1 with label ¬a/b. The label specifies that t1 is triggered by ¬a, i.e., by the absence of event a, and produces event b. States n1 and n2 are not refined further and, therefore, are also referred to as basic states. Or-state n8 is refined by or-state n6 and basic state n7, connected via transition t3 labeled by b/a. Or-state n6 is further refined by basic states n4 and n5, and transition t2 labeled by b/c.

It should be mentioned that the variant of Statecharts considered here does not include "features" present in some other variants. In particular, we prohibit interlevel transitions, i.e., transitions crossing the borderlines of states, and triggers of the form in n, where n is the name of a state. Moreover, state hierarchy does not impose implicit priorities on transitions, where transitions on higher levels of the hierarchy have precedence over transitions on lower levels; e.g., transition t3 does not have priority over transition t2 in our example. The impact of altering our approach to accommodate these concepts is discussed in Section 6.

2.1. Statecharts Terms. For our purposes, it is convenient to represent Statecharts not visually but by terms. This is also done in related work [17, 18, 31], and our approach closely follows the one described in [18]. Formally, let 𝒩 be a countable set of names for Statecharts states, 𝒯 be a countable set of names for Statecharts transitions, and Π be a countable set of Statecharts events. Moreover, we associate with every event e ∈ Π its negated counterpart ¬e. We also lift negation to negated events by defining ¬¬e =df e. Finally, we write ¬E for {¬e | e ∈ E} if E ⊆ Π ∪ {¬e | e ∈ Π}. Then, the set of Statecharts terms is defined to be the least set satisfying the following rules.
Table 2.2
Step-construction function

    function step-construction(s, E); var T := ∅;
      while T ⊂ enabled(s, E, T) do choose t ∈ enabled(s, E, T) \ T; T := T ∪ {t} od;
      return T

Table 2.3
Function update

$$\mathrm{update}([n], T') =_{df} [n]$$

$$\mathrm{update}([n : (s_1, \ldots, s_k)], T') =_{df} [n : (\mathrm{update}(s_1, T_1), \ldots, \mathrm{update}(s_k, T_k))]$$

$$\mathrm{update}([n : (s_1, \ldots, s_k); l; T], T') =_{df} \begin{cases} [n : (s_1, \ldots, s_k); l; T] & \text{if } T' = \emptyset \\ [n : (s_1, \ldots, \mathrm{update}(s_l, T'), \ldots, s_k); l; T] & \text{if } \emptyset \neq T' \subseteq \mathrm{trans}(s_l) \\ [n : (s_1, \ldots, \mathrm{default}(s_m), \ldots, s_k); m; T] & \text{if } \emptyset \neq T' = \{\langle t', l, E, A, m \rangle\} \subseteq T \\ [n] & \text{otherwise} \end{cases}$$

Here $T_i$ denotes the subset of $T'$ consisting of the transitions of component $s_i$.

micro steps, or transitions, that are triggered by events offered by the environment or generated by other micro steps, that are mutually consistent, compatible, and relevant, and that obey causality. The Statecharts principle of global consistency, which prohibits an event from being both present and absent in the same macro step, is subsumed by the notions of triggered and compatible.

A transition t ∈ trans(s) is consistent with T ⊆ trans(s), in signs t ∈ consistent(s, T), if t is not in the same parallel component as any transition in T. Formally,

$$\mathrm{consistent}(s, T) =_{df} \{ t \in \mathrm{trans}(s) \mid \forall t' \in T.\ t \perp_s t' \} \qquad (2.1)$$

Here, we write $t \perp_s t'$ if t = t' or if there exists an and-state [n : (s_1, ..., s_k)] in s, i.e., n ∈ states(s), such that t ∈ trans(s_i) and t' ∈ trans(s_j) for some 1 ≤ i, j ≤ k satisfying i ≠ j.

A transition t ∈ trans(s) is compatible with all transitions in T ⊆ trans(s), in signs t ∈ compatible(s, T), if no event produced by t appears negated in a trigger of a transition in T. Formally,

$$\mathrm{compatible}(s, T) =_{df} \{ t \in \mathrm{trans}(s) \mid \forall t' \in T.\ \mathrm{act}(t) \cap \neg\mathrm{ev}(t') = \emptyset \} \qquad (2.2)$$

A transition t ∈ trans(s) is relevant for s, in signs t ∈ relevant(s), if the root of the source state of t is in the configuration of s. Formally,

$$\mathrm{relevant}(s) =_{df} \{ t \in \mathrm{trans}(s) \mid \mathrm{root}(\mathrm{out}(t)) \in \mathrm{config}(s) \} \qquad (2.3)$$

A transition t ∈ trans(s) is triggered by a set E of events, in signs t ∈ triggered(s, E), if the positive, but not the negative, trigger events of t are in E. Formally,

$$\mathrm{triggered}(s, E) =_{df} \{ t \in \mathrm{trans}(s) \mid \mathrm{ev}(t) \cap \Pi \subseteq E \ \text{ and } \ \neg(\mathrm{ev}(t) \cap \neg\Pi) \cap E = \emptyset \} \qquad (2.4)$$

Finally, a transition t is enabled in configuration s regarding a set E of events and a set T of transitions, if t ∈ enabled(s, E, T), where

$$\mathrm{enabled}(s, E, T) =_{df} \mathrm{relevant}(s) \cap \mathrm{consistent}(s, T) \cap \mathrm{triggered}\Big(s,\ E \cup \bigcup_{t \in T} \mathrm{act}(t)\Big) \cap \mathrm{compatible}(s, T) \qquad (2.5)$$
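The step-construction function of Table 2.2, the update function of Table 2.3 and the enabled function (2.5) can be executed directly on the example Statechart of Figure 2.1. The following Python is an added example written for this page, not code from the paper: it assumes a simple data model (State and Trans classes plus an explicit map of the active sub-state of every or-state, with index 0 as default) in place of the paper's terms, makes the nondeterministic choice of t in the while loop deterministic by transition name, and reports whether the returned T is a fixpoint of enabled, i.e. whether step construction succeeded or stopped because a chosen transition was disabled again. A one-transition chart t: ¬a/a is constructed to show that failure case.

```python
"""Step construction (Table 2.2) over enabled (2.5). Added example, not the paper's code;
the State/Trans model and the `active` map (or-state -> index of current sub-state) are
assumptions replacing the paper's terms. Default sub-state of an or-state is index 0."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Trans:
    name: str
    src: str          # source sub-state, out(t)
    tgt: str          # target sub-state
    pos: frozenset    # positive trigger events, ev(t) ∩ Π
    neg: frozenset    # negated trigger events, stored un-negated: ¬(ev(t) ∩ ¬Π)
    act: frozenset    # generated events, act(t)


@dataclass
class State:
    name: str
    kind: str = "basic"                        # "basic", "or" or "and"
    subs: list = field(default_factory=list)
    trans: list = field(default_factory=list)  # transitions of an or-state


def states(s):
    yield s
    for c in s.subs:
        yield from states(c)


def trans(s):
    return [t for st in states(s) if st.kind == "or" for t in st.trans]


def default_config(s, active):
    for st in (x for x in states(s) if x.kind == "or"):
        active[st.name] = 0


def config(s, active):
    if s.kind == "and":
        return {s.name}.union(*(config(c, active) for c in s.subs))
    if s.kind == "or":
        return {s.name} | config(s.subs[active[s.name]], active)
    return {s.name}


def orthogonal(s, t, u):
    """t ⊥_s u: t = u, or t and u lie in different components of some and-state of s."""
    for st in (x for x in states(s) if x.kind == "and"):
        comp = {x.name: i for i, c in enumerate(st.subs) for x in trans(c)}
        if t.name in comp and u.name in comp and comp[t.name] != comp[u.name]:
            return True
    return t == u


def enabled(s, active, E, T):
    """(2.5): relevant ∩ consistent(T) ∩ triggered(E ∪ act(T)) ∩ compatible(T)."""
    cfg, gen = config(s, active), set(E).union(*(t.act for t in T))
    return {t for t in trans(s)
            if t.src in cfg                                   # relevant   (2.3)
            and all(orthogonal(s, t, u) for u in T)           # consistent (2.1)
            and t.pos <= gen and not (t.neg & gen)            # triggered  (2.4)
            and all(not (t.act & u.neg) for u in T)}          # compatible (2.2)


def step_construction(s, active, E):
    """Table 2.2 with a deterministic choice of t. `ok` is False when the loop stopped
    because a chosen transition got disabled again, i.e. no consistent step exists."""
    T = set()
    while T < enabled(s, active, E, T):
        T.add(min(enabled(s, active, E, T) - T, key=lambda t: t.name))
    return T, T == enabled(s, active, E, T)


def update(s, active, T):
    """Table 2.3 on the active map: an or-state that fired enters its target's default."""
    for st in (x for x in states(s) if x.kind == "or"):
        for t in (x for x in st.trans if x in T):
            active[st.name] = [c.name for c in st.subs].index(t.tgt)
            default_config(st.subs[active[st.name]], active)


def macro_step(s, active, E):
    """Fired transition names, generated events and success flag of one macro step."""
    T, ok = step_construction(s, active, E)
    if ok:
        update(s, active, T)
    return sorted(t.name for t in T), set().union(*(t.act for t in T)), ok


def figure_2_1():
    """The Statechart of Figure 2.1: n9 = n3 || n8 with t1: ¬a/b, t2: b/c, t3: b/a."""
    fs = frozenset
    t1 = Trans("t1", "n1", "n2", fs(), fs({"a"}), fs({"b"}))
    t2 = Trans("t2", "n4", "n5", fs({"b"}), fs(), fs({"c"}))
    t3 = Trans("t3", "n6", "n7", fs({"b"}), fs(), fs({"a"}))
    n6 = State("n6", "or", [State("n4"), State("n5")], [t2])
    n9 = State("n9", "and", [State("n3", "or", [State("n1"), State("n2")], [t1]),
                             State("n8", "or", [n6, State("n7")], [t3])])
    active = {}
    default_config(n9, active)
    return n9, active


def non_causal():
    """Constructed one-transition chart t: ¬a/a, for which step construction fails."""
    t = Trans("t", "m1", "m2", frozenset(), frozenset({"a"}), frozenset({"a"}))
    s, active = State("m", "or", [State("m1"), State("m2")], [t]), {}
    default_config(s, active)
    return step_construction(s, active, set())
```

With `s, active = figure_2_1()`, the call `macro_step(s, active, set())` (the environment offers nothing, so ¬a holds) returns `(['t1', 't2'], {'b', 'c'}, True)`: t3 is excluded because its action a would contradict the trigger ¬a of t1 already in T, which is exactly the compatible check (2.2). A subsequent `macro_step(s, active, {"b"})` returns `(['t3'], {'a'}, True)`, reproducing the two potential macro steps discussed in Section 4. `non_causal()` returns T = {t} together with `False`: once t is chosen, its own action a removes it from triggered, so T is no longer contained in enabled(s, E, T) and the loop stops without reaching a fixpoint.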
and synchronization in concurrent systems. The role of actions in process algebras corresponds to the one of events in Statecharts. A clock represents the progress of time, which manifests itself in a recurrent global synchronization event, the clock transition, in which all process components are forced to take part. However, action and clock transitions are not orthogonal concepts that can be specified independently from each other, but are connected via the maximal progress assumption [11, 35]. Maximal progress implies that progress of time is determined by the completion of internal computations and, thus, mimics the synchrony hypothesis of Statecharts. The key idea for embedding Statecharts terms in a timed process algebra is to represent a macro step as a sequence of micro steps that is enclosed by clock transitions, signaling the beginning and the end of the macro step, respectively. This sequence implicitly encodes causality and, thus, leads to a compositional semantics for Statecharts, whose practicality does not suffer from complicated transition labels including causal orders [17, 18, 31].

Unfortunately, existing timed process algebras are, in their original form, not suitable for embedding Statecharts. The reason is that Statecharts transitions may be labeled by multiple events and that some events may appear in their negated form. The former feature implies that, in contrast to standard process algebras [1, 12, 24], processes may be forced to synchronize on more than one event simultaneously, and the latter feature is similar to mechanisms for handling priority [4]. Moreover, our framework must include an operator similar to the disabling operator of LOTOS [3] for modeling state hierarchy [32]. Our Statecharts Process Language combines these well-known concepts in a single process algebra, which is expressive and flexible enough for embedding several Statecharts variants, as we will show below.

3.1. Syntax. Formally, let A be a countable set of events or ports, and let σ ∉ A be the distinguished clock event or clock tick. Based on A, we define input actions in SPL to be of the form (E, N), where E, N ⊆ A, and output actions E to be subsets of A. In case of the input action (∅, ∅), we speak of an unobservable or internal action, which is also denoted by •. Moreover, we let 𝒜 stand for the set of all input actions. In contrast to CCS [24], the syntax of SPL includes two different operators for dealing with input and output actions, respectively. The prefix operator "(E,N)." only permits prefixing with respect to input actions (E, N), which are instantly consumed in a single step. Output actions E are signaled to the environment of a process by attaching them to the process via the signal operator "[E]σ(·)." They remain visible until the next clock tick σ occurs. The syntax of SPL is given by the following BNF

$$P ::= \mathbf{0} \;\mid\; X \;\mid\; (E,N).P \;\mid\; [E]\sigma(P) \;\mid\; P + P \;\mid\; P \rhd P \;\mid\; P \rhd_\sigma P \;\mid\; P \,|\, P \;\mid\; P \setminus L$$

where L ⊆ A is a restriction set, and X is a process variable taken from some countable domain 𝒱. We also allow the definition of equations X = P, where variable X is assigned to term P. If X occurs as a subterm of P, we say that X is recursively defined. We adopt the usual definitions for open and closed terms and guarded recursion, and refer to the closed and guarded terms as processes [24]. The symbol 𝒫 denotes the set of all processes and is ranged over by P and Q. Finally, the operators ▷ and ▷σ, called disabling and enabling operator, respectively, allow us to model state hierarchy.

3.2. Operational Semantics. The operational semantics of an SPL process P ∈ 𝒫 is given by a labeled transition system (𝒫, 𝒜 ∪ {σ}, →, P), where 𝒫 is the set of states, 𝒜 ∪ {σ} the alphabet, → ⊆ 𝒫 × (𝒜 ∪ {σ}) × 𝒫 the transition relation, and P the start state. We refer to transitions with labels in 𝒜 as action transitions and to those with label σ as clock transitions. For the sake of simplicity, we write $P \xrightarrow{(E,N)} P'$ instead of (P, (E,N), P') ∈ → and $P \xrightarrow{\sigma} P'$ instead of (P, σ, P') ∈ →. We say that P may engage in a transition labeled by (E,N) or σ, respectively, and thereafter behave like process P'. The transition relation

event in E and if all events in N are restricted. Finally, process variable X, where X = P, is identified with a process that behaves as a distinguished solution of the equation X = P.

Table 3.3
Operational semantics (clock transitions)

$$\textsf{tNil}\ \dfrac{}{\mathbf{0} \xrightarrow{\sigma} \mathbf{0}} \qquad \textsf{tAct}\ \dfrac{}{(E,N).P \xrightarrow{\sigma} (E,N).P}\ \ (E,N) \neq \bullet \qquad \textsf{tOut}\ \dfrac{}{[E]\sigma(P) \xrightarrow{\sigma} P}$$

$$\textsf{tSum}\ \dfrac{P \xrightarrow{\sigma} P' \quad Q \xrightarrow{\sigma} Q'}{P + Q \xrightarrow{\sigma} P' + Q'} \qquad \textsf{tPar}\ \dfrac{P \xrightarrow{\sigma} P' \quad Q \xrightarrow{\sigma} Q'}{P \,|\, Q \xrightarrow{\sigma} P' \,|\, Q'}\ \ \bullet \notin I(P \,|\, Q) \qquad \dfrac{P \xrightarrow{\sigma} P' \quad Q \xrightarrow{\sigma} Q'}{P \rhd Q \xrightarrow{\sigma} P' \rhd Q'}$$

$$\textsf{tRes}\ \dfrac{P \xrightarrow{\sigma} P'}{P \setminus L \xrightarrow{\sigma} P' \setminus L}\ \ \bullet \notin I(P \setminus L) \qquad \textsf{tRec}\ \dfrac{P \xrightarrow{\sigma} P'}{X \xrightarrow{\sigma} P'}\ \ X = P \qquad \textsf{tEn}\ \dfrac{P \xrightarrow{\sigma} P'}{P \rhd_\sigma Q \xrightarrow{\sigma} P' \rhd Q}$$


The operational rules for clock transitions deal with the maximal progress assumption, i.e., if • ∈ I(P) =df {(E,N) | ∃P'. $P \xrightarrow{(E,N)} P'$}, then a clock tick σ is inhibited. The reason that transitions other than those labeled by • do not have pre-emptive power is that these only indicate the potential of progress, whereas • denotes real progress in our framework. Rule tNil states that the inaction process 0 can idle forever. Similarly, process (E,N).P may idle for clock σ whenever (E,N) ≠ •. The signal operator in process [E]σ(P), which offers communications on the ports in E to its environment, disappears as soon as the next clock tick arrives and, thereby, enables process P. Time has to proceed equally on both sides of summation, parallel composition, and disabling, i.e., P + Q, P | Q, and P ▷ Q can engage in a clock transition if and only if both P and Q can. The side condition of Rule tPar implements maximal progress and states that there is no pending communication between P and Q. The reason for the side condition in Rule tRes is that the restriction operator may turn observable input actions into the internal, unobservable input action • (see Rule Res) and, thereby, may pre-empt the considered clock transition. Finally, Rule tEn states that a clock tick switches the enabling to the disabling operator. Rule tRec does not require extra explanation.

The operational semantics for SPL possesses several pleasant algebraic properties which are known from timed process algebras [11, 35], such as (i) the idling property, i.e., • ∉ I(P) implies ∃P' ∈ 𝒫. $P \xrightarrow{\sigma} P'$, for all P ∈ 𝒫, (ii) the maximal progress property, i.e., ∃P' ∈ 𝒫. $P \xrightarrow{\sigma} P'$ implies • ∉ I(P), for all P ∈ 𝒫, and (iii) the time determinacy property, i.e., $P \xrightarrow{\sigma} P'$ and $P \xrightarrow{\sigma} P''$ implies P' = P'', for all P, P', P'' ∈ 𝒫. Moreover, the summation and parallel operators are associative and commutative.

3.3. A Behavioral Equivalence. As shown above, the SPL operational semantics interprets processes as labeled transition systems. However, from a semantic point of view, several transition systems might describe the same observable system behavior. For coping with this situation, standard process algebras introduce behavioral equivalences which relate processes, or transition systems, that describe the same intuitive behavior. One popular behavioral equivalence is bisimulation [24] which may be adapted to cater for SPL as follows.

Definition 3.1 (Bisimulation). Bisimulation equivalence, ~ ⊆ 𝒫 × 𝒫, is the largest symmetric relation such that whenever P ~ Q, the following conditions hold.

1. I(P) ⊆ I(Q)

2. If $P \xrightarrow{\alpha} P'$ then ∃Q' ∈ 𝒫. $Q \xrightarrow{\alpha} Q'$ and P' ~ Q'.
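The "largest symmetric relation" of Definition 3.1 is a greatest fixpoint, and on a finite transition system it can be computed by starting from all candidate pairs and removing pairs until the two conditions hold. The following Python is an added example written for this page, not code from the paper: it treats states and labels as strings (an SPL input action (E,N) would be one label and the clock tick σ another), applies condition 1 in both directions, since the relation is symmetric, and condition 2 for every label, and runs on two transition systems constructed for illustration whose state names are assumptions of the example.

```python
"""Largest bisimulation of Definition 3.1 on a finite labelled transition system.
Added example, not from the paper; the transition systems below are constructed."""
from itertools import product


def initial_actions(lts, p):
    """I(P): the labels P may engage in."""
    return {a for (q, a, _) in lts if q == p}


def successors(lts, p, a):
    return {p2 for (q, b, p2) in lts if q == p and b == a}


def bisimulation(lts, states):
    """Greatest fixpoint: start from all pairs satisfying condition 1 in both
    directions and repeatedly drop pairs violating condition 2, until stable."""
    rel = {(p, q) for p, q in product(states, repeat=2)
           if initial_actions(lts, p) == initial_actions(lts, q)}
    while True:
        keep = {(p, q) for (p, q) in rel
                if all(any((p2, q2) in rel for q2 in successors(lts, q, a))
                       for (src, a, p2) in lts if src == p)
                and all(any((p2, q2) in rel for p2 in successors(lts, p, a))
                        for (src, a, q2) in lts if src == q)}
        if keep == rel:
            return rel
        rel = keep


def bisimilar(lts, p, q):
    names = {s for (s, _, _) in lts} | {s for (_, _, s) in lts}
    return (p, q) in bisimulation(lts, names)


# Constructed system 1: two a-branches that both idle under the clock σ, against a
# single a-branch doing the same; nothing distinguishes the branches, so p0 ~ q0.
TIME_DET = {("p0", "a", "p1"), ("p0", "a", "p2"), ("p1", "σ", "p1"),
            ("p2", "σ", "p2"), ("q0", "a", "q1"), ("q1", "σ", "q1")}

# Constructed system 2: a.b + a.c against a.(b + c). After a, r1 offers only b while
# s1 offers b and c, so condition 1 separates r1 from s1 and hence r0 from s0.
BRANCHING = {("r0", "a", "r1"), ("r0", "a", "r2"), ("r1", "b", "r3"),
             ("r2", "c", "r3"), ("s0", "a", "s1"), ("s1", "b", "s3"), ("s1", "c", "s3")}
```

`bisimilar(TIME_DET, "p0", "q0")` and `bisimilar(TIME_DET, "p1", "p2")` are both true, while `bisimilar(BRANCHING, "r0", "s0")` is false even though r0 and s0 have the same traces; the relation returned is symmetric by construction because both directions of condition 2 are checked for every pair.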
Table 4.1
Embedding of the Example Statechart

been triggered. Accordingly, it offers the events in A until the current macro step is completed, i.e., until a clock transition is executed. In order to ensure global consistency, process t also offers the events in E ∩ ¬Π. It is worth noting that SPL's two-level semantics of action and clock transitions allows for broadcasting events using SPL's synchronization mechanism together with its maximal progress assumption.

We now return to our introductory example by presenting its formal translation to SPL in Table 4.1, left-hand side. The embedding's operational semantics is depicted on the right-hand side of Table 4.1, where the figure abbreviates the processes t2 ▷σ ({b},{¬a}).t3 and 0 ▷ ({b},{¬a}).t3. Moreover, the initial output action set of P, for some P ∈ 𝒫, is denoted next to the ellipse symbolizing state P, and the sets N' appearing in the labels of transitions are underlined in order to distinguish them from the sets E'. Let us have a closer look at the leftmost path of the transition system, which passes the states (n3 | n8), (t1 | n8), (t1 | t2), (0 | 0 ▷ ({b},{¬a}).t3), (0 | t3), and (0 | 0). The first three states are separated from the last three states by a clock transition. Hence, the considered sequence corresponds to two "potential" macro steps. We say "potential," since macro steps only emerge when composing our Statecharts embedding with an environment which triggers macro steps. The events needed to trigger the transitions and the actions produced by them can be extracted from a macro-step sequence as follows. For obtaining the trigger, consider all transition labels (E, N) occurring in the sequence, add up all events in components E, and include the negations of all positive events in components N. Regarding the generated actions, consider the set of positive events in the initial output action sets of the states preceding the clock transition which signals the end of the macro step. Thus, the first potential macro step of the example sequence is triggered by ¬a and produces events b and c, whereas the second is triggered by b and produces a. The state names along a sequence also indicate the transitions which have fired. More precisely, whenever a state includes a variable t ∈ 𝒯 at its top level, transition t participates in the current macro step. Thus, for the first potential macro step, transitions t1 and t2 are chosen, whereas
corresponds to the firing of t1 in s. Vice versa, if (Env_E | ⟦s⟧) \ A is the origin of an SPL path to a process which can only engage in a clock transition to (0 | P') \ A and which mimics the triggering of a transition sequence T = ⟨t1, ..., tk⟩, then T can be generated by the step-construction function relative to s and E. Moreover, ⟦update(s, T)⟧ = P'.

The formalization of the above intuition requires the following auxiliary properties, where s ∈ SC and E, A ⊆ Π. Here, T stands for an arbitrary prefix of the above transition sequence ⟨t1, ..., tk⟩ interpreted as a set, i.e., T = {t1, ..., tl} for some 0 ≤ l ≤ k, and act(T) stands for $\bigcup_{t \in T} \mathrm{act}(t)$.

1. ∃t ∈ enabled(s, E, A, T) \ T implies $\llbracket s, T \rrbracket \xrightarrow{(E',N')} P'$ for some E', N' ⊆ A and P' ∈ 𝒫, such that P' = ⟦s, T ∪ {t}⟧, E' = (ev(t) ∩ Π) \ act(T), and N' = ¬(ev(t) ∩ ¬Π) ∪ ¬act(t).

2. $\llbracket s, T \rrbracket \xrightarrow{(E',N')} P'$ for some E' ⊆ E, N' ∩ (E ∪ ¬A) = ∅, and P' ∈ 𝒫 implies ∃t ∈ 𝒯. P' = ⟦s, T ∪ {t}⟧, t ∈ enabled(s, E, A, T) \ T, E' = (ev(t) ∩ Π) \ act(T), and N' = ¬(ev(t) ∩ ¬Π) ∪ ¬act(t).

3. enabled(s, E, A, T) \ T = ∅ implies $\llbracket s, T \rrbracket \xrightarrow{\sigma} P'$ for some P' ∈ 𝒫, where P' = ⟦update(s, T), ∅⟧, and ∀(E', N') ∈ I(⟦s, T⟧). E' \ E ≠ ∅ or N' ∩ (E ∪ ¬A) ≠ ∅.

4. $\llbracket s, T \rrbracket \xrightarrow{\sigma} P'$ for some P' ∈ 𝒫 and E' \ E ≠ ∅ or N' ∩ (E ∪ ¬A) ≠ ∅ for all (E', N') ∈ I(⟦s, T⟧) implies enabled(s, E, A, T) \ T = ∅ and P' = ⟦update(s, T), ∅⟧.

The above properties establish a micro-step level relationship between Statecharts terms and the processes occurring in their embedding. The proof of each property can be done by induction on the structure of s and uses our extensions of the enabled function (cf. Section 2.3) and the embedding mapping (cf. Section 4.2). □

5.2. Preservation Results. We close the technical part by returning to the behavioral relation ~ of bisimulation equivalence. First, we state a preservation result involving ~ and SPL's macro-step semantics.

Theorem 5.3. Let P, P', Q ∈ 𝒫 such that P ~ Q and P ⇒ P'. Then ∃Q' ∈ 𝒫. Q ⇒ Q' and P' ~ Q'.

The validity of this theorem relies on the congruence property of ~ for SPL. When combining the insights obtained by establishing Theorems 5.2 and 5.3, one may derive the following corollary which relates bisimulation equivalence and Statecharts macro-step semantics.

Corollary 5.4. Let E, A ⊆ Π, s ∈ SC, and P ∈ 𝒫 such that ⟦s⟧ ~ P. Then

1. ∀s' ∈ SC. s ⇒ s' implies ∃P' ∈ 𝒫. P ⇒ P' and ⟦s'⟧ ~ P'.

2. ∀P' ∈ 𝒫. P ⇒ P' implies ∃s' ∈ SC. s ⇒ s' and ⟦s'⟧ ~ P'.

6. Adaptability to Other Statecharts Variants. For Statecharts, a variety of different semantics has been introduced in the literature. The comparison paper [34] surveys over twenty Statecharts variants. In this section, we show how our approach can be adapted to these variants and, thereby, testify to its flexibility. We focus on the most relevant issues of Statecharts semantics, which are identified in [34].

As is evident throughout this paper, we favor an operational semantics over a denotational one, since we feel that operational models are more intuitive and, therefore, easier to understand. Moreover, operational models provide an immediate interface to verification tools which implement state-exploration techniques. An important observation of this paper is that the concept of a single, global clock together with maximal progress is the key to providing a compositional, causal state-machine semantics for Statecharts. Although the semantics is defined on the micro-step level, it allows for an easy identification of macro steps. The clock enforces global synchronizations which mark the beginning and end of macro steps. Thus, macro steps are represented as sequences of micro steps, which encode the underlying causality of Statecharts semantics.
compositionality holds on the micro-step level, i.e., the level of SPL action transitions, whereas responsiveness and causality are guaranteed on the macro-step level, i.e., the level on which sequences of SPL action transitions between global synchronizations, caused by clock ticks σ, are bundled together.

Uselton and Smolka [31] and Levi [17] also focused on achieving a clean, compositional semantics for Statecharts by referring to process algebras. In contrast to our approach, Uselton and Smolka's notion of transition system involves complex labels of the form (E, ≺), where E is a set of events and ≺ a transitive, irreflexive order on E, for encoding causality. Unfortunately, their semantics suffers from some serious problems, as pointed out in [17, 18]. Essentially, the semantics does not correspond, as intended, to the Statecharts semantics of Pnueli and Shalev [28]. Levi repaired this shortcoming by modifying the domains of the arguments of ≺ to sets of events and by allowing empty steps to be represented explicitly. However, we believe that our semantics, where labels do not contain any order at all, profits from improved readability.

Maggiolo-Schettini et al. considered a hierarchy of equivalences for Statecharts, including isomorphism and bisimulation, and studied congruence properties with respect to Statecharts operators [18]. For this purpose, they defined a compositional, operational macro-step semantics of Statecharts, which slightly differs from the one of Pnueli and Shalev since it does not allow the step-construction function to fail. In their semantics, labels of transitions consist of four-tuples which include information about causal orderings, global consistency, and negated events. This complexity prohibits an intuitive understanding of Statecharts semantics and an easy integration with existing analysis and verification tools. However, it should be noted that the semantic framework presented in [18] serves well for the purpose of studying certain algebraic properties of equivalences on Statecharts, such as full-abstractness results and axiomatizations [14, 15].

Another popular design language with a visual appeal like Statecharts and, moreover, a solid algebraic foundation is Argos [20]. However, the semantics of Argos, defined via SOS rules as labeled transition systems, significantly differs from classical Statecharts semantics. For example, Argos is deterministic, abstracts from "non-causal" Statecharts by semantically identifying them with a failure state, and allows a single parallel component to fire more than once within a macro step.

Interfacing Statemate [10] to model-checking tools is a main objective in [16] and most recently also in a series of papers by Mikk et al. [21, 22, 23]. The first paper of this series includes a formalization of the semantics of Statemate, as defined in [8], within the specification formalism Z [30]. The second paper describes a translation from a subset of Statemate to hierarchical state automata which may be mapped to the specification language of the verification tool Spin [13], as shown in Mikk's third paper.

8. Conclusions and Future Work. This paper presented a process-algebraic approach to defining a compositional semantics for Statecharts. Our technique translates Statecharts terms to terms in the process algebra SPL which is expressive enough to model the semantic principles underlying Statecharts. SPL allows one to encode a "micro-step" semantics of Statecharts in the traditional SOS style; it is at this level that our semantics is compositional, as bisimulation may be shown to be a congruence for the language. The macro-step semantics may then be given in terms of a derived transition relation. This semantics cannot be compositional, as results of Huizing and Gerth have shown [15]. However, the algebraic basis of our semantics permits the investigation of, e.g., the largest congruence contained in this semantics. Also, since the micro-step sequences representing macro steps essentially encode total closures of causal orders, partial-order methods might be useful for avoiding unnecessary state explosion in practice [6]. Note that, although SPL is a newly developed process algebra, all of its semantic ingredients have already been studied in the process-algebra community.